An interesting exchange of opinions recently occurred between two of my favorite news sources related to information technology security.
Since we are still in the midst of a month declared by the federal government as “Cybersecurity Awareness Month” (see both https://www.dhs.gov/national-cyber-security-awareness-month and https://staysafeonline.org/ncsam/), which is an effort to increase security awareness among regular technology users, the disagreement is interesting.
The premise of “cybersecurity awareness” is that all computer users need to be trained to be more knowledgeable, and to apply that knowledge and experience to make their use of modern technology more secure. This is a worthy goal, I believe.
However, Bruce Schneier, a highly respected security expert and author, persuasively argued recently that maybe the computing industry should be less focused on educating the user and more on fixing the current state of technology:
Stop Trying to Fix the User
I am sure that many technology users will agree that there are basic technology fixes that should happen! However, Lance Spitzner, training director for the SANS Institute’s Securing The Human program and a security blogger for Educause, disagreed with Bruce’s emphasis on the technology:
Why Bruce is Wrong
The college’s Information Technology Services division does as much as can be done technically to ensure that all users have as safe a computing experience as possible on campus. However, given the state of computing technology, technical solutions alone will never be enough to eliminate IT security issues.
Every one of you, as a user of college systems, is still an important part of a robust security solution, and your ability to recognize that something is wrong often proves better than the best technology solution.
So in a way, both of these authors are correct: there absolutely should be better, more secure technological ways of doing some of the everyday things we do with computers, like clicking a link or logging in. But until those exist, users need to be better trained and more aware of how to evaluate the risks inherent in daily technology use, and of how to respond when they experience attacks by malicious users.
This will continue to be an interesting discussion, I think…